Re: [RFC v2 01/13] x86/mktme: Document the MKTME APIs

From: Alison Schofield <alison.schofield@intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: dhowells@redhat.com, tglx@linutronix.de, jmorris@namei.org,
	mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org,
	peterz@infradead.org, kirill.shutemov@linux.intel.com,
	dave.hansen@intel.com, kai.huang@intel.com,
	jun.nakajima@intel.com, dan.j.williams@intel.com,
	jarkko.sakkinen@intel.com, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-mm@kvack.org,
	x86@kernel.org
Subject: Re: [RFC v2 01/13] x86/mktme: Document the MKTME APIs
Date: Wed, 5 Dec 2018 11:22:55 -0800	[thread overview]
Message-ID: <20181205192255.GA988@alison-desk.jf.intel.com> (raw)
In-Reply-To: <4ED70A75-9A88-41B4-B595-87FB748772F9@amacapital.net>

On Wed, Dec 05, 2018 at 10:11:18AM -0800, Andy Lutomirski wrote:
> 
> 
> > On Dec 3, 2018, at 11:39 PM, Alison Schofield <alison.schofield@intel.com> wrote:
> 
> I realize you’re writing code to expose hardware behavior, but I’m not sure this
> really makes sense in this context.

Your observation is accurate. The Usage defined here is very closely
aligned to the Intel MKTME Architecture spec. That's a starting point,
but not the ending point. We need to implement the feature set that
makes sense. More below...

> > +
> > +    type=
> > +        *user*    User will supply the encryption key data. Use this
> > +                type to directly program a hardware encryption key.
> > +
> 
> I think that “user” probably sense as a “key service” key, but I don’t think it is at all useful for non-persistent memory.  Even if we take for granted that MKTME for anonymous memory is useful at all, “cpu” seems to be better in all respects.
> 
> 
> Perhaps support for “user” should be tabled until there’s a design for how to use this for pmem?  I imagine it would look quite a bit like dm-crypt.  Advanced pmem filesystems could plausibly use different keys for different files, I suppose.
> 
> If “user” is dropped, I think a lot of the complexity goes away. Hotplug becomes automatic, right?

Dropping 'user' type removes a great deal of complexity.

Let me follow up in 2 ways:
1) Find out when MKTME support for pmem is required.
2) Go back to the the requirements and get the justification for user
type.

> 
> > +        *cpu*    User requests a CPU generated encryption key.
> 
> Okay, maybe, but it’s still unclear to me exactly what the intended benefit is, though.
*cpu* is the RANDOM key generated by the cpu. If there were no other
options, then this would be default, and go away.

> > +        *clear* User requests that a hardware encryption key be
> > +                cleared. This will clear the encryption key from
> > +                the hardware. On execution this hardware key gets
> > +                TME behavior.
> > +
> 
> Why is this a key type?  Shouldn’t the API to select a key just have an option to ask for no key to be used?

The *clear* key has been requested in order to clear/erase the users
key data that has been programmed into a hardware slot. User does not
want to leave a slot programmed with their encryption data when they
are done with it.

> > +        *no-encrypt*
> > +                 User requests that hardware does not encrypt
> > +                 memory when this key is in use.
> 
> Same as above.  If there’s a performance benefit, then there could be a way to ask for cleartext memory.  Similarly, some pmem users may want a way to keep their pmem unencrypted.

So, this is the way to ask for cleartext memory.
The entire system will be encrypted with the system wide TME Key.
A subset of that will be protected with MKTME Keys.
If user wants, no encrypt, this *no-encrypt* is the way to do it.

Alison
> 
> —Andy